Hi everybody, so we heard that there were some issues with the audio on our Facebook Live. And we watched a little bit of it and it kind of looked like you were doing the Mr. Robot. That was great. So, ok. So we decided that we'll record this and get it uploaded, so this is a test of how many times you can say GDPR in one day. Oh my God. So what we're going to do is run through the whole thing again, apologies for the repetition, but hopefully this version will be a lot easier to follow. So with that, Jen. Alright, well thank you, welcome back. We're covering what your North American business needs to know about GDPR. I'm Jen McDonnell, I'm joined by Steve Buors again. Yup, hi again. Yeah, we're from Reshift Media, so a little bit about us: we're a digital marketing agency and we work with a wide variety of businesses across 20 countries and we help them with website development, social media, search and software development. And today we're going to talk about GDPR. Well done, you said it right. Thanks! I'm gonna say it 20 more times.

So first of all, what is it? What is GDPR? Some key terms you have to be aware of. What are your responsibilities? Fines and consequences for non-compliance. And then the next thing is what you need to do to make sure you're ready for it. And then we're going to specifically dive into Facebook, Google Analytics and Google AdWords. You can actually find a lot of information about this at Reshiftmedia.com/GDPR; we have a whole blog series there. If you have any questions you can either comment on the blog, or you can comment on our Facebook page as well, and we'll do our best to answer them.

Okay, so what is GDPR? GDPR stands for the General Data Protection Regulations. This is a new regulation coming into force in the European Union and it comes into effect on May 25, 2018, so it comes into effect this month. Basically the idea of it is to give European citizens more control over how their personal info is tracked, collected, stored and used. Now you might be thinking this doesn't apply to me, I'm a North American company and I don't care. Now that's not true though, because the way it works is this is pertinent to European citizens, so what that means is that if someone over in Europe comes to your website, even if you're based in North America, and they hit that website, that counts. So even for North American companies, or frankly any website around the world, if a European citizen comes to your website, you are absolutely bound by the GDPR. So if you're doing any kind of tracking on your website such as Google Analytics, collecting email addresses, or doing any type of digital marketing, it will almost certainly affect you. So whether you do business in the EU or not, if you have a website on the internet someone could visit your website from the EU, and therefore it is absolutely your responsibility to not be in violation of GDPR.

And then just to add a fun little wrinkle, Facebook recently announced that they are requiring some "GDPR-like" practices worldwide, so even if you aren't dealing with EU citizens, your Facebook marketing activities are still going to need to change by May 25th, and not a lot of people are ready yet. According to the Globe & Mail, a recent study says only 12% of businesses say they are ready for the GDPR rules, so we're here to get you ready and we're going to tell you more about it, and we're going to tell you what you should be working on right now so that you don't break any rules by May 25th.

So obviously we've researched this a lot, we're a digital marketing company, we're implementing GDPR compliance for a whole bunch of our clients. But we're not legal experts, so anything we talk about here is something that you need to apply to your business, and you should be talking to your own legal counsel, because every business is different, so what makes sense for one company might be slightly different for another. So although everything we're telling you here is thoroughly researched and certainly is our marketing best practice, it doesn't replace good advice from qualified legal professionals, which isn't necessarily us. We're not lawyers per se, I probably said that last webinar, so do talk to your lawyers about everything you're implementing for GDPR.

So let's start with some key terms. When we're talking about GDPR, there are a few things you need to be aware of: personal data, consent, data controller, data processor. These are terms that people use to talk about GDPR compliance.

So personal data is any kind of information that can be used to identify someone, directly or even indirectly. So this includes cookies, IP address, email address, location data, a person's name. All of that is personal information that can be used to identify someone. Now the thing is, when you're gathering personal data you need consent, so consent is kind of the big thing in GDPR. If you're getting any data from an EU resident, you have to get what's called explicit consent. So we've all come to a website and you see this little bar at the bottom and it says hey buddy, if you're using this website you hereby agree to our terms and conditions; that's implicit consent, you're just telling the person you're tracking them. In this case GDPR takes it a step further, where you're actually not allowed to track them until they explicitly say yes, go ahead. So that particular form has a button on the bar that says I agree or I consent or go ahead or whatever that is, but until that person clicks that button, they have not provided explicit consent. And it's really important you get that before you start tracking data. As of May 25th you're going to see a lot more of these cookie bars, and that's why. And it's really important that you're clear that the person agrees to the tracking, so it can't be one of those cookie bars that just says "by using this site I hereby agree." You need to be clear about the data you're gathering, how that data is going to be used, why you're gathering it, and that means you need to update your terms and conditions for your website certainly, or your privacy policy or cookie policy or whatever it is. And the big thing is, even if they don't agree, you can't force them, so you can't close down the whole website and make them agree before they can access it; they still have to be able to access your website and use it normally even though they don't agree to the data tracking...

There are two terms you're going to hear over and over again whenever we talk about GDPR, and that is data controller and data processor, so let's talk about what exactly that means. So the data controller: this is the person that decides the 'purposes' and 'means' of any processing of that personal data. So the business or the person will face the consequences if there are any misuses of data. So for the most part, it's the business; you're probably the one that's the data controller. So even if you just added code to your website to collect data, like Google Analytics code or the FB pixel, you are the one who made the decision to add that code, so you're the one who's actually responsible. And the data processor is usually the person/system that analyzes the data, so for example, even though you are the data controller and you're using the Google Analytics code on your website, Google is actually the data processor...

So, we got the boring things out of the way, so let's talk about what we really want to talk about, which is what your responsibility is as a business owner and what you need to do. So if you have a website with tracking code on it, you are most often the "data controller". That means anytime someone from the EU hits your website, you are responsible for a whole bunch of things. First, you have to obtain explicit consent anytime you collect any kind of personal data from an EU citizen. So that means anytime anyone from the EU comes to your website, you need them to click a button or tick a box saying hey, I agree that you're going to collect some data from me, before the tracking code on your website even activates. So this is going to have really, really big ramifications for any ad tracking code such as the Google pixel, or if you're doing any Google Analytics and AdWords tracking as well. You also have to contact any EU citizens whose personal data you currently have and obtain lawful, informed consent if you didn't do it when you first collected their information. The other option you have is to completely remove them from your database prior to May 25th. You may have seen a lot of emails going out that say resubscribe or I agree; this is why that's happening. You also have to keep a detailed database of everyone who has consented to having their data collected, along with proof that they actually agreed to it, so you need to say where you got the consent, through what medium, what date they gave it on and so forth. The other thing that you have to do is you have to have a clear and viable way for EU citizens to withdraw consent at any time, so they can have all their information erased, they can change their preferences and they can even access their data; if they ask to have access to their data, you have to give them that data within one month of that request, and you also have to provide the requested data free of charge and in a really easily accessible format. And just two more! To obtain consent again: if you want to use data in a new manner that was not consented to before, you have to get consent again. So, very confusing, but let's say you had people sign up for your email newsletter, so you got their email that way; if you then want to use that email to remarket to them, you must get consent to do so going forward. And the last thing is to properly implement security measures to protect that data and to inform people if their data has become compromised, and you have to do it within 72 hours...

Ok, so in short, let's boil this down: if you have someone from the EU that visits your site, it's your responsibility to get consent in order to gather and store their personal information, you have to tell them exactly what you are tracking and why you're tracking it, and that information has to be stored in a secure fashion. Now if you're in Canada, you should be CASL compliant, which means you probably already have some of these measures in place. So for you, probably the biggest change is not just getting consent when someone fills in a form, which you should be doing already, but also before any of your tracking code, so you're going to need something like this where you're asking for consent before you fire the Facebook Pixel or AdWords code. Now if you're in the US, you don't have CASL there, so it could very well be that you have a little bit more work to do to make sure you're compliant with GDPR for when those European citizens come to your website. Now what's interesting about this is, although this only applies to EU citizens, there are rumblings from the Canadian and US governments that they may follow the EU's lead on this and they may look at some similar types of regulations, so just be aware of that and we'll keep an eye on that to see what happens there, and we also have some additional wrinkles for Facebook which we'll be talking about in just a minute.

So this is what you're probably thinking right now: this is a lot of work, what happens if I just don't do it? So let's talk about fines and consequences of non-compliance with GDPR. So if you are still collecting personal data on EU citizens after May 25, you could really, really face some hefty fines. Any EU person who has their information unlawfully collected has the right to compensation. You may be subject to administrative fines of up to 20 million euros or 4% of your company's worldwide annual revenue from the previous year, whichever amount is higher... Higher, because 20 million euros isn't enough.

It's a lot, so you should really do something. So what should you do? Here's our first step: first of all, conduct an audit of your website, email/newsletter collection, and Facebook marketing activities, whatever you're doing that collects data about people. When conducting an audit, things to consider: What data do you have? Where did that data come from? Who are you sharing it with and how are you storing it? And then determine what information you have that explicitly pertains to EU residents. You should also review any third-party service that you're using and just make sure they're GDPR-compliant. Also review your privacy policy; this is probably going to have to change, you're probably going to have to add some language specifically about this sort of thing, so go over it with your lawyer and make sure you're covered there. Also review your contact forms, so if you have a form on your website where people are giving you their name, phone number or whatever information you're asking for, make sure you're getting people's explicit consent with a checkbox, even if they're just signing up for a newsletter. Luckily, if you're in Canada, a couple of years ago the Canadian anti-spam legislation came into place, so you probably already have strong opt-in language because of CASL, and the opt-in box likely isn't already pre-checked as the default, because that's one of the rules they've had, so you may be able to just kind of revamp the language a little to include that you're also going to be using this for tracking, remarketing or whatever else you're going to be using it for.

So once you've done that analysis, you've got an idea of where you stand, so you know what data you have, etc. So basically there are 5 big steps you should be taking before May 25th once you know where you're at. There are probably a few more, but in terms of the five big ones: Number one, for any EU citizens you have in your database, if you don't have explicit consent to market to them, either get that consent or, number two, you can delete them from your database. So the first thing is just make sure you have the right consent for any usages. Number two, you need to modify your website tracking code to ensure that you are not tracking EU citizens when they come to your site until they provide consent. One of the things you could do is not track the people from the EU. If they're not important to your business, if they're a small amount of your traffic, or you're going to market to them anyway, one option is simply, when they come to your website, don't fire any of your tracking code for them; a very viable course of action. If you do want to be able to track and ask for data from them, then you're going to have to do something like this where you're implementing this explicit consent. Number three, you need to modify your forms like Jen was talking about, so get explicit consent; again, it can't be a pre-ticked box, the person has to tick the box themselves saying I hereby allow you to contact me or remarket to me or whatever it is. Number four, you've got to track when someone provides that consent, and ensure you are storing their information in a secure fashion. And finally, number five, update your data gathering and retention policy that's in your terms and conditions, or cookie policy or privacy policy, whatever you have that information in; update that so you can be very clear about what data you are gathering, why you are gathering it, and how people can contact you to be able to access it.

Okay, so let's dig deeper into Facebook specifically, because as we mentioned earlier, we all know that Facebook has been having some issues with a little thing called Cambridge Analytica, not sure if you've heard of it, but it's made Facebook more concerned about user privacy and personal info and security. So as a matter of fact, even when Zuckerberg was testifying in Congress he said that Facebook will soon be rolling out GDPR-like protection across all citizens, not just people in the EU, so this is really going to affect all your Facebook marketing, all your Facebook tracking, not just for your European customers. So Facebook is doing a bunch of things to protect people's privacy, so they are going to roll out some new tools soon to help protect security. You might have seen it already: when you first log into Facebook, there's something at the top that says hey, check your settings, things like that, many more options. They're really trying to make it easy for you to see what kind of apps you've already granted access to, so what apps you have that you've allowed to see your personal data; it's also going to allow you to really easily delete your Facebook profile or download all the information you've shared on Facebook, and then last week they announced there's a tool coming that's going to let you "clear your FB history." We're not really sure what that's going to look like, we're not really sure when it's going to happen, but it's coming soon. So when it comes to business owners, you have to be aware of Facebook's new regulations, especially if you have the Facebook Pixel code on your website, and/or if you are using custom audiences to target ads to.

Speaking of custom audiences, a lot of businesses use custom audiences to target their existing customers on Facebook. As an example, you can take all of your newsletter subscribers' names and email addresses and upload that to Facebook's back end, Ads Manager, and then you can target ads specifically to existing customers. A really good way to stay engaged and cross-sell products and stuff like that. And the thing is, if you have been using a custom audience across different ad accounts, which a lot of people do, you can't do that anymore; there's no more sharing a custom audience to different ad accounts. Also, if your custom audience was uploaded from your CRM data, newsletter subscribers, customer database, etc., and if you didn't get specific consent to remarket to them on Facebook, that's going to be a bit of a problem for you. So unless you are uploading email addresses where you've explicitly got someone to say yes, you can go ahead and remarket to me on Facebook, you're not allowed to use those email addresses as a custom audience after May 25th. So even if they don't live in the EU, this applies to anyone, anywhere: if you don't have consent to remarket to them on Facebook, you should remove them from your Ads Manager, otherwise you're breaking Facebook's new policies. And going forward, all data acquired for the purposes of targeting on Facebook has to be obtained with consent, and users have to know exactly how their data will be used, so if you're planning to remarket to them on Facebook, etc. And again, if you are a Canadian business and you have people who are opting into emails, a newsletter, what have you, you probably already have a CASL-compliant opt-in message, so in that case, you could just tweak that opt-in messaging to include Facebook remarketing. That way you can just include this as part of your own process, and always check with your legal team to see what language you should use to do so.

Yeah, so that's the Facebook Custom Audience. Let's talk a little bit about the Facebook Pixel. A lot of businesses use a Facebook pixel to advertise, because you can use it to track the effectiveness of your Facebook ads and you can track the conversions of your Facebook ads. You can also target ads to your website visitors on Facebook, so anyone who actually visited any page on your website, or even if they've gone to a specific page on your website; let's say they made a purchase on the website and they hit the thank-you page, you can then target ads to people who actually hit the thank-you page on your site using the Facebook Pixel. So if you have this pixel installed on your website, going forward you will be required to provide clear and prominent notice on each of your webpages where the pixel is used that links to a clear explanation that informs people that you are using the pixel, when you're using it for the purposes of data aggregation and remarketing, etc. So we're still kind of figuring out what's actually happening with this, details on this are still coming out, but at this point Facebook does not look to be requiring explicit consent like GDPR, but they are requiring you to notify people only, so possibly using a button like this, a cookie bar like you would use for GDPR, not necessarily requiring an action button that says accept, got it, just to notify people that this is happening. And again, this also comes into effect on May 25th for all citizens, not just European citizens. So as far as we know right now, anyone using the Facebook pixel (which frankly is almost all of you) will need to update your website with a notification message using functionality such as a cookie bar, and change the way your Facebook pixel is currently firing. And Facebook has said that they are working on making some changes to the pixel to help with privacy compliance, so we don't really know what it's going to look like yet, but we will keep the Reshift blog up-to-date with any new developments on that.

So the last topic
is Google, so there are two pieces to this, Google Analytics and Google AdWords. We'll start with Google Analytics. This one is a bit tricky because if you have Google Analytics code on your website, and almost everyone uses Google Analytics to track website behaviour and traffic, it's possible you're already collecting personal data: that could be IP addresses, hashed personal data, user IDs, it could be cookies, or behavioural profiling. Google Analytics does all these things and all of these are considered personal data. So if you have EU citizens coming to your website, it is very possible you will require the user's consent before tracking them via Google Analytics. So again, if they're coming to your website, before that GA code fires you've got to get that consent; they have to click accept before you can start tracking them.

Now in order to be GDPR-compliant while using Google Analytics, you will need to either 1) anonymize the data before storage and processing begin, or 2) add that cookie bar to the site that gives notice of the use of cookies and asks for the user's permission prior to entering the site. Now what's interesting is that Google has actually implemented a new ability to configure your Google Analytics code to anonymize the visitor's IP. So what's nice about this is you don't need to create a new Google Analytics account and you don't need new Google Analytics code; basically you pass in a special parameter within the Google pixel that enables IP anonymization. This should make you GDPR compliant, and your website developer should be able to do this for you. Now as always there's complexity to this, so there is an exception in GDPR: the regulations allow, in cases where personal data is used solely for web analytics purposes, that you may not need consent. So in your case, again, look at your company and how you use data, and if you're collecting data and the point is only to track the performance of your website, it's possible that you don't actually need your users' consent to do so. But if you're collecting any other data and using it for any kind of user profiling or advertising or any other commercial purposes, then yes, you absolutely need to get consent for these activities under GDPR. Another thing to talk about is Google AdWords, so if you are using the AdWords pixel, you're probably using it for advertising purposes, so for all EU citizens you will need to obtain consent prior to firing the AdWords pixel. This applies to any type of tracking and ad targeting using AdWords, AdSense, AdMob, and DoubleClick Ad Exchange; you will need consent first.

So Google says they're working on a solution of providing anonymized, non-personalised ads in cases where consent cannot be obtained. This is a great solution for many website owners and advertisers, because we can still serve ads without needing to gather consent. Again, we're not sure how that's going to look, but we will share info as more details become available. Just keep an eye on the Reshiftmedia.com blog. Some next steps on Google. In cases where consent has not been obtained for EU citizens, remarketing advertising and the use of customer emails in AdWords should be stopped by May 25, 2018, so take a look at whether you have the right consent for any of the information you're using. You should be implementing IP anonymization for all people visiting your site from the EU; again, I want to be clear that this piece applies to people coming from the European Union to your site, that's when you need anonymization implemented. And you should also be accepting some new terms in the GA Data Processing Terms. GA customers can accept the updated terms within the account settings. You should be looking at that short term.

Also, you should be looking at updating your Data Retention Controls in GA so it will actually automatically delete user data after a specific time period. It's also a good best practice; it doesn't impact your overall analytics, it's just getting rid of the individual person's information. It's good practice in any event. Also very important from an EU and GDPR compliance perspective, which you should be doing, is conducting an audit of your website data to see if you are getting any Personally Identifiable Information. Something a lot of people miss is something as simple as sending out an email or newsletter, and someone clicks it and comes to your site, and you pass an "email=" query string parameter and you get their personal information. You should go through all your pages and all your processes to make sure you're not passing it or using it in the URLs, that kind of personal information. Thank-you pages are a key place where it often happens, so it's really important you're not sending this info to Google Analytics... If there's one thing we really want to get across, even though you aren't based in Europe or not actively targeting a European audience, this is still going to affect you, so you're still probably going to have to make modifications to your website and to your advertising strategy right away, because it all comes into place on May 25th. So again, as we mentioned before, we have a blog series on Reshiftmedia.com/GDPR that covers this in detail in case you missed anything. You can always comment on any of our blogs and we'll read those comments, and you can comment on our Facebook page or this video or anywhere, like our private messages, and we will answer any question you may have. We hope you enjoyed our command performance, and have yourself a great day.
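As an added example (not from the webinar or from Reshift Media), here is what the consent gate the presenters describe looks like in browser JavaScript: the Google Analytics and Facebook Pixel calls are queued until the visitor clicks the cookie bar's Accept button, GA is created with its anonymizeIp setting, query-string parameters such as email= are stripped from the page path before it is sent, and a consent record (date, medium, policy version) is kept as proof. The tracker and pixel IDs, the policy version string and the list of PII parameter names are placeholders and assumptions, and ga()/fbq() are stubbed so the flow runs without a browser.

```javascript
// Added example (not from the webinar): gating GA and Facebook Pixel calls behind
// explicit consent, anonymizing IPs, scrubbing "email=" style parameters from the
// page path, and recording proof of consent. IDs and parameter names are placeholders.
const TRACKER_ID = 'UA-000000-0';        // placeholder GA property, not a real one
const PIXEL_ID = 'PIXEL_ID_PLACEHOLDER'; // placeholder Facebook Pixel id

// Query parameters that commonly carry personal data on newsletter links and
// thank-you pages. Assumed list; extend it for your own URL conventions.
const PII_PARAMS = new Set(['email', 'e', 'name', 'phone', 'uid', 'user_id']);

// Remove personal data from a URL so it never reaches the analytics vendor.
// Returns the path plus whatever non-PII query string remains.
function scrubPii(urlString) {
  const url = new URL(urlString, 'https://example.invalid'); // base only for relative paths
  const kept = [];
  for (const [key, value] of url.searchParams.entries()) {
    if (PII_PARAMS.has(key.toLowerCase())) continue; // named PII parameter
    if (value.includes('@')) continue;               // value looks like an email address
    kept.push([key, value]);
  }
  const qs = new URLSearchParams(kept).toString();
  return url.pathname + (qs ? '?' + qs : '');
}

// Holds tracker bootstraps until the visitor clicks an explicit "I agree".
// Nothing fires on page load, and an implicit "by using this site you agree"
// notice never calls grant(), so only a deliberate click releases the queue.
class ConsentGate {
  constructor() {
    this.consented = false;
    this.record = null;   // proof of consent, kept for the audit trail
    this.queue = [];      // trackers waiting for consent
    this.fired = [];      // names of trackers that actually ran
  }
  // Register a tracker: runs immediately if consent exists, otherwise waits.
  track(name, fn) {
    if (this.consented) { fn(); this.fired.push(name); return; }
    this.queue.push({ name, fn });
  }
  // Wired to the cookie bar's Accept button. Records when, through what
  // medium and against which policy text consent was given, then flushes.
  grant({ medium, policyVersion, at = new Date() }) {
    this.consented = true;
    this.record = { at: at.toISOString(), medium, policyVersion,
                    purposes: ['analytics', 'remarketing'] };
    for (const { name, fn } of this.queue.splice(0)) { fn(); this.fired.push(name); }
    return this.record;
  }
  // Withdrawal has to be as easy as consent: stop tracking and drop the proof.
  withdraw() { this.consented = false; this.record = null; this.queue = []; }
}

// Google Analytics bootstrap. anonymizeIp is analytics.js's documented
// setting for IP anonymization; the page path is scrubbed before it is sent.
function fireGoogleAnalytics(ga, currentUrl) {
  ga('create', TRACKER_ID, 'auto');
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview', { page: scrubPii(currentUrl) });
}

// Facebook Pixel bootstrap, likewise only ever called through the gate.
function fireFacebookPixel(fbq) {
  fbq('init', PIXEL_ID);
  fbq('track', 'PageView');
}

// Simulated visit with stub ga()/fbq() that record their arguments, so the
// gate can be exercised without a browser. In a real page the stubs are the
// vendors' global functions and grant() is called from the Accept button.
function simulateVisit(currentUrl, clicksAccept) {
  const calls = [];
  const ga = (...args) => calls.push(['ga', ...args]);
  const fbq = (...args) => calls.push(['fbq', ...args]);
  const gate = new ConsentGate();
  gate.track('ga', () => fireGoogleAnalytics(ga, currentUrl)); // registered on load
  gate.track('fbq', () => fireFacebookPixel(fbq));            // but not yet fired
  const callsBeforeConsent = calls.length;
  const record = clicksAccept
    ? gate.grant({ medium: 'cookie-bar', policyVersion: 'privacy-policy-2018-05' })
    : null;
  return { callsBeforeConsent, calls, record, fired: gate.fired };
}
```

A visitor who never clicks Accept produces no ga() or fbq() calls at all, which is the behaviour the presenters describe for EU visitors you choose not to track.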